
Allowing access to files

The first level of security for your own files and those to which you have been granted administrative access is your personal Unity password. Be sure to safeguard it and change it regularly. For more on this important topic, read the page on Unity password.

There are two situations in which you will need to grant other users access to files:

  • When other users are working with a group of shared files in your Home directory in AFS.
  • When you have administrative control over another AFS directory.

NC State's AFS software protects files by providing an access control list (ACL) for each directory. It is good practice, especially in your Home directory in AFS, to create a new subdirectory and place in it those files to which you want to grant access. Each user on that subdirectory's ACL can be granted a specific combination of privileges tailored to provide only the access needed by that user. This prevents access to the other files in the main directory.

Keep in mind that all access privileges offer protection at the directory level only, not at the file level, even though some privileges (listed below) allow direct manipulation of files. You can interact with a file only if you have been granted appropriate access privileges to the directory containing that file. Furthermore, whatever directory access privileges you grant to an individual user or group will apply to every file in that directory.

An ACL can contain a maximum of 20 entries. If you need to make a directory accessible to 20 or fewer users, then you can add them to the directory's ACL as individuals. However, you can also add groups to an ACL. To create and manage groups of users, see the page on PTS Groups.

Access privileges

There are seven access privileges, which can be divided into two groups — those that apply to the directory itself and those that apply to files within the directory.

  • Directory privileges
    • lookup (l)
      Allows listing and examining the directory, and accessing subdirectories within it. You must have lookup privileges in order for the other privileges to work properly.
    • insert (i)
      Allows adding files to the directory (creating new files or copying or moving existing files into it).
    • delete (d)
      Allows removing or moving files and subdirectories within the directory.
    • administer (a)
      Allows changing the directory's ACL.
  • File privileges
    • read (r)
      Allows reading (looking at but not changing) the contents of the directory's files.
    • write (w)
      Allows writing (modifying, including deleting) the contents of any file in the directory.
    • lock (k)
      Allows running programs that need to lock files in the directory.

Listing access privileges

  1. From the Unity prompt, change to the directory whose ACL you want to list by typing the following command:
        cd path
    where path is the full AFS path to the directory. Example:
        cd /afs/unity.ncsu.edu/directory1/directory2/projects/project6/
    You may need to obtain this path from the information technology personnel in your office or department.

  2. Type: fs la .
    The dot in this command refers to the current directory. For example, if you were user jddoe and you were in your Home directory in AFS, you would get a message similar to this:
    [sparc03]...jddoe>fs la .
    Access list for . is
    Normal rights:
      system:administrators rlidwka
      jddoe rlidwka
    [sparc03]...jddoe>
    
    
  3. In this example, only jddoe and the Unity system administrators can access this directory, and each has full privileges.
    NOTE: Be careful not to change either the system administrator privileges or your own administrative privileges for a directory. Otherwise, you may not be able to access your files.

Setting access privileges

  1. Make sure that you have administrative privileges for every directory whose ACL you'll need to modify. You automatically have them for your Home directory in AFS, and you will need to obtain them for each of the others.

  2. From the Unity prompt, change to the directory by typing the following command:
        cd path
    where path is the full AFS path to the directory. You may need to obtain this path from the information technology personnel in your office or department. Example:
        cd /afs/unity.ncsu.edu/www/ncsu/dept1/oit_work/

  3. Once you are in the desired directory and after you have made the two replacements indicated below, type the following command (the dot in this command refers to the current directory):
        fs sa . user privileges
    Replace:
    user with the Unity ID of the person or the designation of the PTS group whose privileges you wish to change.
    privileges with the letter(s) representing the specific privilege(s) you wish to give the user.

    NOTE: To access any subdirectory a user must have at least "lookup" access to all the directories that contain it.

    Examples:
    • To allow the individual user ksmith to "read" and "list" the files in the directory (but not write to them):
      fs sa . ksmith rl
    • To allow the PTS group named econweb:study1 to "read" and "list" the files in the directory as well as modify them ("write"):
      fs sa . econweb:study1 rlw
    • To allow anyone "read" and "lookup" access to the directory:
      fs sa . system:anyuser rl

  4. To verify the changes you have made, use the fs la . command (see above).
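
One way to review a listing after changing an ACL, as an added example that is not part of the original page or NC State's tooling: the function below reads text in the format printed by fs la and flags the conditions this page warns about (an entry without lookup, system:anyuser holding insert, delete, write or administer, a missing administer right, a full 20-entry ACL). The names audit_acl and sample_listing and the sample listing itself are constructed for illustration.

```shell
#!/bin/sh
# Added example. Reads `fs la`-style text on stdin, prints one finding per
# line. Only the entries listed under "Normal rights:" are examined.
audit_acl() {
    awk -v owner="$1" '
        /^[ \t]*Normal rights:/ { in_acl = 1; next }  # entries follow this header
        /:$/                    { in_acl = 0; next }  # any other header ends them
        in_acl && NF == 2 {
            who = $1; rights = $2
            seen[who] = rights
            count++
            # lookup is required for the other privileges to work properly
            if (rights !~ /l/)
                print "WARN " who " has " rights " without lookup (l)"
            # anyone at all being able to insert, delete, write or administer
            if (who == "system:anyuser" && rights ~ /[idwa]/)
                print "WARN system:anyuser can modify the directory: " rights
        }
        END {
            # losing administer (a) can lock you out of your own files
            if (seen[owner] !~ /a/)
                print "WARN " owner " lacks administer (a)"
            if (seen["system:administrators"] !~ /a/)
                print "WARN system:administrators lacks administer (a)"
            if (count >= 20)
                print "WARN ACL is full: " count " of 20 entries"
            print "INFO " count + 0 " entries checked"
        }
    '
}

# Constructed sample listing (not captured from a real directory).
sample_listing() {
    cat <<'EOF'
Access list for . is
Normal rights:
  system:administrators rlidwka
  jddoe rlidwk
  ksmith rw
  econweb:study1 rlw
  system:anyuser rliw
EOF
}

sample_listing | audit_acl jddoe
```

Against a real directory, pipe the listing in with your own Unity ID as the argument: fs la . | audit_acl jddoe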

Removing access privileges

To remove an individual user or group from an ACL:

  1. From the Unity prompt, change to the directory whose ACL you need to modify by typing the following command:
        cd path
    where path is the full AFS path to the directory. You may need to obtain this path from the information technology personnel in your office or department. Example:
        cd /afs/unity.ncsu.edu/www/ncsu/dept1/OIT_work/

  2. Once you are in the desired directory and after you have made the replacement indicated below, type the following command (the dot in this command refers to the current directory):
        fs sa . user none
    Replace user with the Unity ID of the person or the designation of the PTS group whose privileges you wish to change. Example:
    To remove all access privileges to the directory for the PTS group named econweb:study1:
        fs sa . econweb:study1 none

  3. To verify the changes you have made, use the fs la . command (see above).


Last modified March 3, 2008 by cawalker
